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REMARKS 

The Examiner has rejected Claims 1,15, 29, 45 and 48 under 35 U.S.C. 1 12, second 
paragraph, as being indefinite. Specifically with respect to Claims 1 , 1 5 and 29, the Examiner has 
stated that it is unclear to the Examiner what "and operation substantially" means. The Examiner 
has also stated that it is unclear as to what is required by the server and that using the server for 
anything is an option. However, applicant respectfully asserts that the claim language in the 
foregoing claims expressly states that "the peer-to-peer network permits peers to connect and operate 
substantially without a server bv utilizing the server, at most, for providing addresses for the peers in 
the peer-to-peer network/^ Thus, the peers, at most, use the server for providing addresses for the 
peers in the peer-to-peer network. 

With respect to Claim 45, the Examiner has stated that it is unclear what the claim language 
means, what is taking action and what action is taken. Applicant has clarified such claim as follows: 
'Vherein a share configuration loop is executed to detect changes to shares and corresponding 
permissions, and take-an actio n is initiated as a function of a type of the changes." Applicant 
respectftiUy asserts that the actual action taken is not claimed and would unduly limit such claim. In 
addition. Claim 49 provides just one example of an action. 

With respect to Claim 48, the Examiner has staled that it is unclear why the configuration 
loop examines against a previously recorded share configuration. Applicant has clarified such claim 
as follows: 'S\4ierein the share configuration loop examines a current share configuration against a 
previously recorded shared configuratio n to detect the changes to the shares and the corresponding 
permissions ." 

It is also noted that the Examiner has attempted to interpret applicant's claimed peer-to-peer 
network to refer to, for example, any client and server communications. Applicant respectfully 
disagrees with this interpretation, especially in view of the previous amendments which require that 
*the peer-to-peer network permits peers to connect and operate substantially without a server by 
utilizing the server, at most, for providing addresses for the peers in the peer-to-peer network." 

-10- 



PAGE 1 3Q0 • RCVD AT 8n«005 7:28:2S PM CEastem DayllgM Time] * 8VR:USPTO-EFXRF-«a7 * DN1S:2738300 * CSIO:408 971 4660 * DURATION Cmm4S):09-04 



Rug 03 05 04:3Qp SVIPG 408 971 4660 P-14 



The Examiner has rejected Claims 1, 2, 5, 1 1, 15, 16, 19, 25, 29, 30, 33, 39 and 45-49 under 
35 U.S.C. 103(a) as being unpatenable over Welch, Jr. et ai. (U.S. Patent No. 5,862335) in view of 
Meadway et al. (U.S. Patent No. 6,675,205). The Examiner has also rejected Claims 4, 7, 9, 10, 12- 
14, 18, 21, 23, 24, 26-28, 32, 35, 37, 38 and 40-44 under 35 U.S.C. 103(a) as being unpatentable 
over Welch, Jr. in view of Meadway and in further view of Conklin (U.S. Patent No. 5,991,881). 
Applicant respectfully disagrees with such rejections. 



With respect to independent Claims 1, 15 and 29, the Examiner has relied on the following 
excerpts from Meadway to make a prior art showing of applicant's claimed "performing an action 
associated with a particular pattern when the particular pattern is detected in the peer-to-peer 
network" (see this or similar, but not identical language in each of the foregoing claims). 



^Expanding on the above concepts, the invented system is a service which 
performs centralized searches based on index information transmitted by- 
peer systems to the central site using an agent program running on each 
peer, and then directs the peer systems bo each other for the purpose of 
retrieving files." (Col. 1, lines 45-52-emphasis added) 

".-the file is sent by the system containing the file either to the central 
site or directly to the user who requested the file via email attachment." 
(Col. 1, lines 63-65) 

''agent program downloaded and installed by each peer system user. This 
agent program is described in detail in pending U.S. patent application 
Ser. Nos. 09/419,405, U.S. Pat. No, 6,516,337. and 09/575,971, filed May 
23, 2000, by the same inventors which are hereby incorporated by reference. 
The indexing process on each system may be initiated manually or on a 
scheduled basis, with updates transmitted whenever the user connects to the 
central service." (Col. 2, lines 1-10) 



Applicant respectfully asserts that the excerpts relied on by the Examiner simply relate to 
"direct[ing] the peer systems to each other for the purpose of retrieving files" (see emphasized 
excerpt above). In no way do such excerpts teach applicant's specific claim language, namely 
"perfomiing an action associated with a particular pattern when the particular pattern is detected..." 
(emphasis added), especially when read in the context of the remaining claim language where 
" suspicious activity [is monitored] based on [the] patterns of activity" (emphasis added). Clearly, 
simply directing peer systems to each other, as in Meadway, does not meet "performing an action 
associated with a particular pattern" where such monitoring is with respect to "suspicious activity," 
in the context claimed by applicant. 
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The Examiner has also relied on the above cited excerpts to make a prior art showing of 
applicant's claimed technique ^'wherein a pattern of activity is defined in terms of a configuration of 
shared data on a peer, the configuration establishing a baselme of authorized shares and permissions 
in association with the shared data." Applicant respectfully asserts that that nowhere in the above 
excerpts is there any mention of defining the pattern of activity "in terms of a configuration of shared 
data on a peer, the configuration establishing a baseline of autho rized shares and permissions in 
association with the shared data, " as claimed by applicant (emphasis added). 

Instead, Meadway simply teaches that "index information [is] transmitted by peer systems to 
the central site using an agent program running on each peer, and then. . .the peer systems [are 
directed] to each other for the purpose of retriievmg files" (see excerpts above). Applicant notes that 
such indexed information relates to the "contents of the files" (see Col. 2, lmel5), and therefore, no 
baseline of authorized shares and permissions is established in Meadway, in the context claimed by 
applicant. 

The Examiner has again relied on the above cited excerpts to make a prior art showing of 
applicant's claimed technique 'Svherein monitoring a peer-to-peer network comprises evaluating a 
change with respect to the shared data on a peer in the peer-to-peer network, the change being made 
vrith respect to the baseline." Applicant asserts that such excerpts yet again fail to teach "evaluating 
a change with respect to the shared data on a peer in the peer-to-peer network, the change being 
made with respect to the baseline ," as claimed by applicant (emphasis added). In the excerpts above, 
Meadway discloses that "updates [are] transmitted whenever the user connects to the central 
service." However, such updates relate to the indexing process, as disclosed in the excerpts above, 
and not "evaluating a change. . .with respect to the baseline" where such baseline is of "authorized 
shares and permissions in association with the shared data," as claimed by applicant. 

-12- 
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To establish ^ prima facie case of obviousness, three basic criteria must be met. First, there 
must be some suggestion or motivation, either in the references themselves or in the knowledge 
generally available to one of ordinary skill in the art, to modify the reference or to combine reference 
teachings. Second, there must be a reasonable expectation of success. Finally, the prior art reference 
(or references when combined) must teach or suggest all the claim limitations. The teaching or 
suggestion to make the claimed combination and the reasonable expectation of success must both be 
found in the prior art and not based on applicant's disclosure. In re Vaeck947 F.2d 488, 20 USPQ2d 
1438(Fed.CirJ991). 

Applicant respectfully asserts that at least the third element of the prima facie case of 
obviousness has not been met, since the prior art references, when combined, fail to teach or suggest 
all of the claim limitations, as noted above. Thus, a notice of allowance or a specific prior art 
showing of all of applicant's claim limitations, in combination with the remaining claim elements, is 
respectfully requested. 

Applicant further notes that the prior art is also deficient with respect to the dependent 
clahns. For example, with respect to Claim 5 et al., the Examiner has relied on Col. 3, lines 25-30 
and 45-50 in Welch to make a prior art showing of ^plicant's claimed "pattern of activity [that] is 
defined in terms of network traffic in the peer-to-peer network that uses a specific protocol." 
Applicant notes, however, that such excerpts from Welch only generally disclose "analyzing] 
logical connections and file transfers... by examining the information of layers 2,3, and 4" where 
"protocol control information 42 [is] available in layers 2, 3, 4 and 7 of a packet.'' Merely examining 
protocol control information, however, does not meet applicant's claimed •'pattern of activity", let 
alone "a pattern of activity [that] is defined in terms of network traffic. . .that uses a s pecific 
protocor ^ (emphasis added). 
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With respect to Claim 7 et al., the Examiner has relied on the following excerpt from Conklin 
to make a prior art showing of applicant's cl^dmed "pattern of activity [that] is defined in terms of 
network traffic in the peer-to-peer network having a foreign address." 



"^When a packet or accuntTilation of packets matcli a predefined intruaion 
profile the Intrusion Detection function identifies the network traffic as 
a reportable activity will construct a data structure which contains a 
date/ time stamp indicating the time of detection, the source and 
destination Internet Protocol (IP) addresses, an assigned message 
identifying the event detected. This data structure is passed to the Alert 
Notification function for processing, when a positive identification of a 
reportable activity occurs, the entire triggering packet (s) may be written 
to a log file created in the Evidence I«ogging fxmction." (Col. 5, lines 25 
3 5 -emphasis added) 



Applicant respectfully asserts that the above excerpt from Conklin only teaches that "[when] 
a packet or accumulation of packets match a predefined intrusion profile [then] a data structure [will 
be constructed] which contains. . .the source and destination. . .addresses" (see emphasized excerpt 
above). Thus, the match in Conklin is not taught to be "defined in terms of network traffic... having 
a foreign address," as claimed by applicant, but instead only general source and destination addresses 
are reported after the match is made. 



With respect to Claim 9 et al., the Examiner has relied on Col. 5, lines 33-35 of Conklin, as 
excerpted above» to make a prior art showing of applicant's claimed technique '"wherein the action 
comprises logging information about the particular pattem." However, applicant respectfully asserts 
that only **the entire triggering packetfs) [are] written to a log file" in Conklin (emphasis added), and 
not "'information about the particular pattern, ^ as claimed by applicant (emphasis added). 



With respect to Claim 1 1 et al., the Examiner has relied on the following excerpt from Welch 
to make a prior art showing of applicant's claimed technique 'Svherein the patterns of activity are 
local to a peer in the peer-to-peer network." 



**...a copy of the revised connection record 93 to the archive. This allows 
dynamic display of connection activity. Analysis o£ the packet complete, 
CME 83 branches to step 204. 

Thus, methods of monitoring both local connections and file transfers in a 
computer network have been described." (Col. 10, lines 5-10) 
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Applicant respectfully asserts that such excerpt merely discloses '^monitoring. . .local 
connections and file transfers." Clearly, mere local connections do not meet applicant's claimed 
"patterns of activity ft hatl are local to a peer in the peer-to-peer network" (emphasis added). 

With respect to Claim 13 et al., the Examiner has relied on Col. 4, lines 45-55 in Conklin to 
make a prior art showing of applicant's claimed "obtaining a set of rules specifying the patterns of 
activity and associated actions." Applicant notes, however, that the above excerpt in Conklin 
completely fails to even mention "a set of rules specifying the patterns of activit y and associated 
actions ," as claimed by applicant (emphasis added). In fact, even the Examiner, in his rejection, 
states that "Conklin disclosed obtaitung pre-stored patterns of activity in a database," but fails to 
address any "associated actions" as in applicant's claim language. 

With respect to Claim 14 et al., the Examiner has relied on the following excerpt from 
Conklin to make a prior art showing of applicant's claimed "refreshing the set of rules when the set 
of rules changes." 

'"the Intrusion Detection function examines the data in comparison to a 
series of predefined or learned patterns which are pre -stored or developed 
from data received from the network. 

In the preferred embodiment, the network data is compared to a database of 
known patterns." (Col. 4, lines 48-52) 

Applicant respectfully asserts that the above excerpt merely discloses comparing "the 
data. . .to a series of predefined or learned pattems which are pre-slored." However, nowhere in such 
excerpt or the entire Conklin reference is there any suggestion of * 'refteshing the set of rules when 
the set of rules changes," as claimed by applicant (emphasis added). 

With respect to Claim 45, the Examiner has relied on the following excerpt from Mead way to 
make a prior art showing of applicant's claimed "wherein a share configuration loop is executed to 
detect changes to shares and corresponding permissions, and take an action as a function of a type of 
the changes." 
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central service. 



The agent is also responsible for transmitting copies of the requested file 
to the systems whose requests are waiting..." (Col. 2, lines 1 lOJ 

Applicant respectfully asserts that the agent program disclosed in Meadway is merely 
associated with the indexing process where the index is of "the contents of the files" on peers (see 
Col. 2, Unes 14-15). Simply nowhere in Meadway is there even any mention of "a shared 
configuration loop [for]...detect[ingl rhnn yes to shares and mrre,sponding permissions , and tak[ingl 
an action as a function of atype of the changes," as claimed by applicant (emphasis added). 

With respect to Claims 46-48, the Examiner has again relied on Col. 2, Imes 1-10 of 
Meadway to make a prior art showing of applicant's claimed technique "wherein the share 
configuration loop is executed dynamically," "wherein the share configuration loop is executed on a 
schedule," and "wherein the share configuration loop examines a current share configuration against 
a previously recorded shared configuration to detect the changes to the shares and the corresponding 
permissions." Again, applicant respectfully asserts that such excerpt along with the entire Meadway 
reference fail to meet applicant's claimed "share configuration loop" as argued with respect to Claim 
45 above, and thus also cannot meet the instant claim language fiirther describmg the claimed share 
configuration loop. 

Witii respect to Claim 49. the Examiner has yet again relied on Col. 2. lines 1-10 along with 
Col. 2 lines 35-41 in Meadway to make a prior art showing of applicant's claimed technique where 
"if die change includes an attempt to un-share a file or directory, the action includes a log entry." 
Applicant asserts that such excerpts do not teach any sort of "attempt to un-share a file or directory" 
as claimed by applicant, but instead only disclose indexing the contents of files and an "agent that 
reports to the central server the identities of files on tiie computer that will be provided if requested 
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by others." In addition, such excerpts also faU to teach "a log entry" action if a change is made with 
respect to un-sharing a file or directory, in the manner claimed by applicant. 

Again, a notice of aUowance or a specific prior art showing of all of applicant's claim 
limitations, in combination with the remaining claim elements, is respectfully requested. 

Thus, all of the independent claims are deemed allowable. Moreover, the remaining 
dependent claims are further deemed allowable, in view of thek dependence on such independent 
claims. 

hi die event a telephone conversation would expedite the prosecution of this application, the 
Examiner may reach die undersigned at (408) 505-5 100, lUe Commissioner is authorized to charge 
any additional fees or credit any overpayment to Deposit Account No. 50-135 1 (Order No. 
NAI1P344/0 1.249.01). 

RespectftCBy subttiitted, 
Kevin J^ilka 

P.O. Box 721 120 Registimion No. 41,429 

San Jose, CA 95172-1120 

408-505-5100 
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